Question:
Early one morning, Don was ushered into a closed-door meeting with the Chief Finance Officer, the CIO, and an external security auditor he hadn't met before. In the meeting, Don learned that a large amount of data, including the PII, was exported from the system. The previous day Gary was going through the logs to see if the patch he applied worked correctly, and he noticed that someone in the administrator group had exported a large amount of data at an odd time. Gary reasoned that no one should be accessing the system at 2 am, and he was concerned because a large amount of data was exported. After bringing up the issue to management, it was decided that the Finance division would investigate the issue. Therefore, the responsibility to figure out exactly what happened fell on Don. He was asked to work with an auditor to find out exactly what happened. Don left the meeting feeling overwhelmed and disconcerted; he knew nothing about security practices and he wasn't happy about working with the auditor. He had recently inherited the system and didn't know much about it. He did know that he had to find the source of the leak before more student information was lost and he knew his job might be on the line.
The auditor decided to interview the users of each business unit. At a basic level, he wanted to figure out if the leak was an internal job or if TKU had fallen victim to a hacker. So, he wanted to see the different entry points through which a potential hacker could get access to the system. The auditor and Don started the audit process by going through the system. They checked the user accounts and found multiple points where a hacker could have entered the system. They found over 50 orphan accounts, which are accounts that had been set up but never used. When an account is set up, the policy is for the system administrator to provide the same generic password. Once a user logs into the system, they are prompted to enter a new password. Since none of these accounts were used, all of the accounts had the same password. A hacker could have easily cracked the generic password and gotten access to the system. The system was accessed by a variety of users. They were spread out between Information Technology, Finance, and the Administrative Support Divisions, so finding the exact users would be difficult. Anyone in these divisions could be the source of the leak. Don and the auditor didn't know how they were going to trace the culprit, but they knew they had a daunting task.
Throughout the process, the auditor found countless examples of lax information security throughout the organization. There was a lack of a coordinated security policy, and the policies in place were not being followed. It was eventually proven that the contractor stole the information. The contractor was hired to oversee the upgrade of servers on the storage network. While doing this, she learned about the transaction management system. She knew PII could be sold on the black market and thought the lax security at TKU would enable her to get away with stealing data without any repercussions. Her only obstacle was access. Since she only had access to the storage network, she needed a way to get access to the transaction management server. That's when she called the system administrator and got the IP address and tried to get his login credentials. Once she got the IP address, she was able to utilize the free tools available on the Internet to scan the system and get the username and password with administrative access. It took her only a matter of minutes to get this information. The password was only three characters long and didn't use any numbers or special characters.
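The account review that turned up the orphan accounts can be automated. The following is an added example, not part of the original case study: it assumes the account table can be exported as CSV with the hypothetical columns shown, and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample export of an account table (hypothetical column names).
SAMPLE_ACCOUNTS = """username,division,created,last_login,must_change_password
jdoe,Finance,2023-01-10,2024-03-01,false
temp01,Information Technology,2023-02-01,,true
temp02,Administrative Support,2024-02-25,,true
asmith,Finance,2022-11-05,2024-02-28,false
newhire,Finance,2023-06-15,,true
svc_old,Information Technology,2021-09-09,,false
"""

def find_orphan_accounts(csv_text, today, min_age_days=30):
    """Return accounts that were created but have never been logged in to.

    An account with no last_login whose must_change_password flag is still
    set has never replaced the generic initial password.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["last_login"].strip():
            continue  # account has been used at least once
        age = (today - date.fromisoformat(row["created"])).days
        if age < min_age_days:
            continue  # recently provisioned; owner may not have started yet
        findings.append({
            "username": row["username"],
            "division": row["division"],
            "age_days": age,
            # False here means the flag was cleared without any login,
            # which is an inconsistency worth reviewing by hand.
            "initial_password": row["must_change_password"].lower() == "true",
        })
    # Oldest first: the longest-exposed accounts get disabled first.
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

def orphans_by_division(findings):
    """Count orphan accounts per division to show who owns the clean-up."""
    return Counter(f["division"] for f in findings)

if __name__ == "__main__":
    for finding in find_orphan_accounts(SAMPLE_ACCOUNTS, date(2024, 3, 5)):
        print(finding)
```

Run on a schedule, a report like this lets unused accounts be disabled or expired before they accumulate.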
Questions
- The case given above revealed that there was a lack of information security policy in the organization. Explain why the information in an organization needs to be protected and the role of information security policy.
- From the case study given, identify two information security issues that the organization had and for each suggest how each issue could be improved so that future information breaches can be avoided.
- Information technology has brought with it a lot of information security issues. Describe three types of authentication that are used today in organizations.